The author is a Forbes contributor. The opinions expressed are those of the writer.


There are two challenges for companies wanting to make this shift, however. The first relates to how most companies are operationally aligned and the second has to do with timing.

In most organizations responsibility for the enforcement of mandated and voluntary standards, policies, procedures and other internal controls falls to people in a very limited number of functions, if not a single department. If a compliance violation or ethical misconduct occurs, who handles it? Typically, it’s some type of ethics and compliance department, the legal team or someone in the risk or corporate security functions. These internal goalkeepers have one job (to stop the opponent, namely potential wrongdoers) and they have an imperfect and, ultimately, inadequate set of tools (policies, rules and other internal controls) to execute their job.

Timing is also a problem. Think about when corporate risk management endeavors reached their peak intensity level: after Enron, WorldCom, Sarbanes-Oxley and after the global economic crisis. We batten down the hatches, slash R&D investments, command our organizational goalkeepers to step up their enforcement of the rules and hunker down until the risk passes. We falsely regard this as building for “resiliency”.

Once the threat fades, our companies loosen the purse strings, relax all those restrictive rules and command rainmakers and innovators to do whatever it takes to achieve growth. This is what we call “growth mode”.

This “either/or” approach to resiliency and growth no longer maps to a world in which volatility and uncertainty pervade. We need an “and” approach so that our companies can get resiliency and growth simultaneously.

Three Levers for CEOs

Getting these beneficial outcomes requires a commitment to a long-term journey rather than the implementation of a six-week program. It requires becoming deliberate about shaping your culture as fundamental to corporate strategy, and seeing culture itself as a strategy for winning. Journeys are more arduous than programs, but they can be pursued with similar rigor and discipline.

The CEO looking to lead this change must begin by looking diagnostically at his or her company in 3 critical areas. The first is how you govern: the policies, controls, rules, org charts, goals and objectives that represent the formal structures of governance. The second is how you behave: the values, principles, habits, mindsets and history that make up a company’s culture. The third aspect is the leadership model. How do you lead? Is it through command and control, or do you connect and collaborate with colleagues? Do you share information transparently or on a ‘need-to-know’ basis? And once you have focused on these areas, you have to look at how they work together. Are they fighting or reinforcing one another?

For example, I know many earnest executives who genuinely believe that they're empowering their people. They tell an individual, "I trust you to innovate." The individual goes off inspired by the trust extended but then runs into the four approvals needed for the first round of investment. The individual concludes that the CEO is a hypocrite. “He told me to innovate but doesn't mean it.” But the CEO isn’t a hypocrite. He's just presiding over a system of governance, culture, and leadership that is not in sync. The objective here is to build a “super-system” of governance, culture, and leadership that works together.

Recently in New York I saw a Boeing 747 retire the NASA space shuttle Enterprise. In 1986 when the Challenger shuttle tragically blew up, we went into NASA and we asked questions. The Rogers Commission pried open NASA to investigate why the tragic loss occurred. The commission determined that the accident was caused by a failure in components called O-rings, a design flaw that NASA policies, procedures and internal controls should have identified and corrected. In other words, the problem was largely related to a lack of necessary governance, risk and compliance.

During a subsequent 32-month shuttle-launch hiatus, NASA recommitted itself to strengthening its governance, risk and compliance infrastructure. In doing so, by most accounts, NASA became one of the most tightly-controlled, rules- and procedures-based organizations. When our country suffered another shuttle tragedy in 2003, the Columbia disaster, the Columbia Accident Investigation Board (CAIB) report placed more emphasis on failures of NASA’s culture and humanity. The free exchange of information was discouraged, according to the report, and engineers no longer asked sufficiently tough questions about risks. The NASA example taught us lessons that could be applied to every organization and we didn’t learn them.

This problem is not new. I attested to it eight years ago. The question and answer that I posed at the beginning of this column was pulled directly from my 2004 testimony to the U.S. Sentencing Commission at which I argued that the notion of a compliance program should be replaced with a commitment to a culture where compliance is an outcome of deep connection to a fundamental set of values and a mission and purpose of significance.

Getting compliance by doing compliance has been a false choice.

To truly get compliance, we need to do governance, culture and leadership in a systematic and comprehensive way. The good news is that we can.